Popular messaging app WhatsApp has been compromised by an Israeli spy firm known as NSO Group. The espionage company exploited a vulnerability in the app that allows it to inject malware on targeted phones just by placing a call. WhatsApp issued a statement urging all its users to download the latest update, which contains the patch for the vulnerability. Facebook, the parent company of WhatsApp, released a CVE identifying the vulnerability.
“WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices,”
-Statement by WhatsApp
The vulnerability is located in WhatsApp’s VoIP stack and allows malicious code to be executed remotely using SRTCP packets. The NSO Group uses this vulnerability to inject code into a target phone just by placing a telephone call to the targeted phone. The hack does not require the user to answer the call, and it can erase itself from the call log. Both the Android and iOS versions of WhatsApp are affected by the vulnerability.